In its Winter 2015 “Supervisory Insights” publication, the Federal Deposit Insurance Corporation (“FDIC”) released A Framework for Cybersecurity, detailing the ever-evolving cyber threat landscape and highlighting actions taken and resources provided by the FDIC and other federal banking agencies in response to the threat of cyber attack.
The framework article is just the latest outreach by the FDIC on the issue of cyber security. Since 2014, the FDIC has taken several steps to help financial institutions mitigate their risk of cyber attack. These steps, which include information sharing and practical cyber security tools, are part of an overall increase in federal regulatory oversight of critical infrastructure sectors, including financial institutions. The increased oversight stems from the rapidly “evolving threat landscape,” including the rise of malware, distributed denial-of-service (DDoS) attacks, and sophisticated compound cyber attacks. As part of its cyber security awareness campaign, the FDIC has urged institutions to take full advantage of available government-sponsored security resources. Additionally, the FDIC has developed its own security exercises and resources to increase awareness of potential risks and provide actionable assistance.
FDIC Resources for Cyber Security
The FDIC has provided several valuable resources for financial institutions to use to better inform and guide their cyber security practices. First, the FDIC has posted several cyber-related videos on its website. These “Cybersecurity Awareness” videos are designed to assist bank directors with understanding cyber security risks and risk management, provide an overview of the evolution of data security, and outline the components of a traditional information security program. “Corporate Governance Technical Assistance” focuses on the role of the bank director in supervising the bank’s cyber security protocols and staying informed. “Information Technology Technical Assistance” enhances bank directors’ awareness of effective risk management practices. “Outsourcing Technology Services” helps banks to manage risks when outsourcing tasks to outside vendors.
Second, the FDIC has developed a series of videos, “Cyber Challenge,” which provide financial institution managers with vignettes depicting seven different cyber attack scenarios. These training tools help financial institutions to identify and address real cyber security risks and readiness issues and to identify techniques to mitigate those risks.
Additionally, the FDIC has partnered with the Federal Financial Institutions Examination Council (FFIEC) to propagate several resources for financial institutions. These resources include the FFIEC’s official Statements on “Cyber Attacks Involving Extortion,” “Destructive Malware,” “Cyber Attacks Compromising Credentials,” and “Cybersecurity Threat and Vulnerability Monitoring and Sharing,” available at www.ffiec.gov, and a webinar and assessment tool for bank directors and CEOs to educate themselves on the pervasiveness of cyber threats and assess their cyber security preparedness.
Related Federal Recommendations and Cyber Security Resources
The federal government has established several recommended, voluntary frameworks to enhance security, privacy, and business confidentiality. In February 2013, the President issued Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which established a federal policy of cybersecurity enhancement and directed the National Institute of Standards and Technology (NIST) to develop a set of (voluntary) cybersecurity standards and best practices. NIST then collaborated with various industry groups and government agencies to create and issue version 1.0 of its Framework for Improving Critical Infrastructure Cybersecurity in 2014, consisting of five core functions: Identify, Protect, Detect, Respond, and Recover.
Additionally, the Federal Financial Institutions Examination Council (FFIEC), of which the FDIC is a member, issued its “Cybersecurity Threat and Vulnerability Monitoring and Sharing Statement” in late 2014, recommending that financial institutions implement a program for gathering, analyzing, understanding, and sharing information, thereby creating “actionable intelligence” about cyber threats that can be aggregated and shared among public and private sources.
The FFIEC further encouraged financial institutions to share this actionable intelligence by participating in the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC facilitates the sharing of information and provides several membership benefits including webinars, workshops, and threat exercises. Participating financial institutions receive weekly cyber updates detailing important cyber events of the week and providing strategies for action.
For instance, in 2013, institutions participating in the FFIEC, including the FDIC, assisted in creating the Cybersecurity and Critical Infrastructure Working Group (CCIWG), which assessed community banks’ cyber security management and preparedness. The CCIWG uses this information to review existing regulatory guidance and identify gaps. Updated relevant regulatory guidance can be found on the CCIWG’s website, www.ffiec.gov/cybersecurity.htm.
Finally, the Department of Homeland Security provides cyber threat alerts through its U.S. Computer Emergency Readiness Team (US-CERT). A financial institution can subscribe to US-CERT and receive these alerts along with other educational materials and assistance.
Cyber threats are a substantial risk for any entity connected to the Internet, and they continue to evolve rapidly. Along with many other federal agencies, the FDIC has provided a number of online resources to assist financial institutions and their leaders in understanding and mitigating this risk.